The first annual Security Decisions conference was held in Chicago last month. On the final day of the conference, back-to-back sessions were held on the topic of intrusion detection. The first presentation was conducted by information security specialist Jeff Posluns. Jeff discussed the technical issues behind intrusion detection, from IDS software to less common signs of intrusion. The second speaker was FBI supervisory special agent Walter Wright who discussed the legal issues involved after an intrusion has been detected.
Jeff Posluns began his presentation by discussing the variety of IDS software available, from freeware to commercial software, and what the different detection methods were and how they could be employed. Following is a list of the types of software available and some of Jeff's comments:
- Pattern matching/Signature based: Like antivirus software, a list of known attacks is maintained and all traffic is compared to this list. This is the most common IDS software on the market.
- Frequency: This analysis method will identify repeated events such as brute force attacks or DOS attacks.
- Filter / Rules violation: This analysis method will generate an alert whenever someone -- or some system -- tries to access a resource that is identified as protected. The success of this method is largely based on the effectiveness of your overall security infrastructure.
- Policy violation: Alerting based on standard security policies and user access lists that requires a detailed analysis of system, event and server logs.
- Anomaly detection: Alerts are generated whenever the system notices activity other than the normal network traffic. Because networks are ever-changing, this method generates a lot of false positives.
- Correlation of multiple sources: This is a software that can take information from multiple sources and make sense of the various alerts from other IDS software.
Jeff stressed that a combination of methods is usually best. In the second half of his presentation, Jeff discussed specific hacker methods and made a point to note there are other places to look for intrusion detection evidence other than IDS software, such as:
- System logs
- Router logs
- Firewall logs
- Authentication logs
- Physical security logs (access cards)
- Telephone logs
- File system dates and times
Knowing how to detect an intrusion is great, but what if you are too late? FBI special agent Walter Wright's presentation explained the importance of building evidence against hackers. The FBI recognizes the threat of cyber crime and cyber terrorism. Agent Wright discussed the creation of the National Infrastructure Protection Center in his presentation. He also discussed the FBI's partnership initiative called Infraguard. Infraguard is a government/private sector alliance to share information about cyber threats. Visit the Infraguard Website to learn more about this program.
There will always be threats to your business' information, but even worse than a security breach is not knowing that you've been breached. Developing an intrusion detection system is essential to a secure organization.
About the author
Benjamin Vigil is a technical editor at SearchSecurity.
This was first published in July 2002